Uninstalling AIR responders

There are several ways to uninstall the AIR responder from assets: from the AIR console, or directly on the asset itself.

It is important to understand that you should only remove the responder if you have no intention of revisiting the asset for further investigations. If you do need to do so, then a fresh responder deployment will be needed.

From the Assets button in the Main Menu it is possible to select one or multiple assets and then, via the Bulk Action Bar, choose to either 'Uninstall a responder' or to 'Uninstall responder and purge console data'.

It is also possible to uninstall a responder from an individual asset's Asset Info page by selecting the option from the Asset Actions drop-down menu:

The 'Uninstall responder' option will remove the AIR application from any selected assets.

The 'Uninstall responder and purge console data' option will remove the AIR application from the selected assets and delete the data saved from those assets on the console. All associated Tasks (e.g., Timeline) will also be deleted from the console. Data saved to Remote Storage, and locally saved data on the asset, will remain intact. interACT or normal asset management tools can be used to remove this data.

Password Protection for AIR Responder Uninstallation

Responder uninstallation through the local OS UI is disabled.

Local users of assets can only uninstall the AIR responder if they have access to the AIR generated password to do so.

The responder can only be uninstalled using shell commands with the protection password as an argument, locally or remotely (e.g., SCCM).

Uninstallation via the AIR UI or API remains possible without requiring a password.

AIR provides Tamper Detection for the AIR responder - Your audit logs will record

Uninstalling on Windows assets

Graphical User Interface (GUI) Method

To gracefully uninstall the responder application from your Windows operating system, follow these steps:

  1. Navigate to the Control Panel.

  2. Access the "Add/Remove Programs" feature.

  3. Locate and select the Binalyze AIR Responder application from the list.

  4. Choose the option to uninstall.

Command Prompt Method

You can also uninstall the responder application using the command prompt with the following methods:

Using Product Code

To uninstall via the product code, execute the following steps:

  • Identify the product code of the responder using PowerShell:

    get-wmiobject Win32_Product | Sort-Object -Property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

  • Copy the identified product code.

  • Uninstall the responder using msiexec:

    msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}"

Using Original MSI File

If you possess the original MSI file of the responder, you can proceed as follows:

msiexec /x "C:\Users\hio\Downloads\AIR.responder_2.25.0_air-dev.binalyze.com_44_4ce0820f14f6461a_amd64_.msi"

In either method, you can efficiently uninstall the responder application from your system.

Uninstalling a Password-Protected responder

To uninstall a password-protected responder, you can specify your uninstall password with the property UNINSTALL_PASSWORD by using the command prompt with the following command:

msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}" UNINSTALL_PASSWORD="my-password"

Uninstallation File and Directory Cleanup Process

When uninstalling the Binalyze AIR responder program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains. All of these files are deleted by the responder before the service is deleted.

  • Utils Directory: The utils binaries located in the responder's installation directory are removed. If the installation directory is C:\Program Files (x86)\Binalyze\AIR\responder, the folder can be found at:

    • C:\Program Files (x86)\Binalyze\AIR\responder\utils\

  • Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This can be found in one of the following paths.

    • C:\Users\[user]\AppData\Local\Temp\BinalyzeUploadTemp

    • C:\Windows\TEMP\BinalyzeUploadTemp

  • Update Temporary Directory: The directory used for temporary storage of update files is cleared. This directory can be found in one of the following paths.

    • C:\Users\[user]\AppData\Local\Temp\BinalyzeUpdateTemp

    • C:\Windows\TEMP\BinalyzeUpdateTemp

  • Update Task Download Directory: The directory used for downloading MSI binaries is removed. If the Windows system directory is on C:\, the path can be found at:

    • C:\BinalyzeUpdateTemp

  • Binalyze Temp Directories: If the temp location is C:\Windows\TEMP\, the paths can be found as follows.

    • C:\Windows\TEMP\Binalyze

    • C:\Windows\TEMP\BinalyzeTemp

On Windows systems, the responder selects the first non-empty value from the environment variables %TMP%, %TEMP% and %USERPROFILE%, or else the Windows directory, as the temporary storage location.

Uninstalling on Linux assets

On Ubuntu and Debian

  1. Open a terminal window.

  2. To uninstall the binalyze-air-responder package, use the following command:

    sudo apt remove binalyze-air-responder

    This command will uninstall the package.

On CentOS, Fedora, Red Hat and similar distributions (using dnf)

  1. Open a terminal window.

  2. To uninstall the binalyze-air-responder package, run the following command:

    sudo dnf remove binalyze-air-responder

    This command will uninstall the package.

Uninstallation File and Directory Cleanup Process

When uninstalling the binalyze-air-responder program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains.

  • Drone Config File: The drone config file located in the responder's installation directory is removed. If the installation directory is /opt/binalyze/air/responder, the file can be found at:

    • /opt/binalyze/air/responder/DRONE.Config.yml

  • Utils Directory: The utils binaries located in the responder's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/responder, the folder can be found at:

    • /opt/binalyze/air/responder/utils

  • Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This folder can be found at:

    • /var/lib/binalyze/BinalyzeUploadTemp

  • Update Temporary Directory: The directory used for temporary storage of update files is cleared. This folder can be found at:

    • /var/lib/binalyze/BinalyzeUpdateTemp

  • Update Task Download Directory: The directory used for downloading deb or rpm binaries is removed. If the Linux temp directory is /tmp, the folder can be found at:

    • /tmp/BinalyzeUpdateTemp

  • Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.

    • /tmp/Binalyze

    • /tmp/BinalyzeTemp

  • Persistent Folder: The persistent folder can be found in:

    • /var/lib/binalyze

  • Config File: The config file is located in the responder's installation directory and is deleted after the responder is removed. If the installation directory is /opt/binalyze/air/responder, the file can be found at:

    • /opt/binalyze/air/responder/config.yml

On Linux systems, the responder uses $TMPDIR as the temp location if it is non-empty, else /tmp.

Uninstalling on macOS assets

To initiate the uninstallation process for the responder via the Terminal on macOS, execute the following command:

sudo /opt/binalyze/air/responder/air --uninstall

This command, run from the Terminal, walks you through removing the responder application from your macOS system.

Uninstalling a Password-Protected Responder

To uninstall a password-protected responder, you can specify your uninstall password with the environment variable AIR_UNINSTALL_PASSWORD from the Terminal with the following command:

AIR_UNINSTALL_PASSWORD="my-password" sudo -E /opt/binalyze/air/responder/air --uninstall

Uninstallation File and Directory Cleanup Process

When uninstalling the com.binalyze.air-responder program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains. All of these files are deleted by the responder after the package info is deleted.

  • Utils Directory: The utils binaries located in the responder's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/responder, the folder can be found at:

    • /opt/binalyze/air/responder/utils

  • Binaries: If the installation directory is /opt/binalyze/air/responder, these files are located at:

    • /opt/binalyze/air/responder/air

    • /opt/binalyze/air/responder/tactical

    • /opt/binalyze/air/responder/drone

  • Config File: This file is located in the responder's installation directory. If the installation directory is /opt/binalyze/air/responder, the file can be found at:

    • /opt/binalyze/air/responder/config.yml

  • Drone Config File: This file is located in the responder's installation directory. If the installation directory is /opt/binalyze/air/responder, the file can be found at:

    • /opt/binalyze/air/responder/DRONE.Config.yml

  • Service File: This file can be found in:

    • /Library/LaunchDaemons/com.binalyze.air-responder.plist

  • Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This folder can be found at:

    • /var/lib/binalyze/BinalyzeUploadTemp

  • Update Temporary Directory: The directory used for temporary storage of update files is cleared. This folder can be found at:

    • /var/lib/binalyze/BinalyzeUpdateTemp

  • Update Task Download Directory: The directory used for downloading pkg binaries is removed. If the Unix temp directory is /tmp, the folder can be found at:

    • /tmp/BinalyzeUpdateTemp

  • Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.

    • /tmp/Binalyze

    • /tmp/BinalyzeTemp

  • Persistent Folder: The persistent folder can be found in:

    • /var/lib/binalyze

On Unix systems, the responder uses $TMPDIR as the temp location if it is non-empty, else /tmp.
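The Linux and macOS cleanup lists above describe what the responder is expected to remove; the following added example (not Binalyze's own tooling) turns both lists into a post-uninstall residual check. It mirrors the page's temp-location rule ($TMPDIR if non-empty, else /tmp), assumes the default install directory /opt/binalyze/air/responder, and takes a root prefix so it can be exercised against a sandbox directory as well as the real filesystem.

```shell
#!/bin/sh
# Post-uninstall residual check for the Binalyze AIR responder on Linux and
# macOS. Added example, not Binalyze's own tooling: it mirrors the cleanup
# paths and the temp-location rule listed on this page and assumes the
# default install directory /opt/binalyze/air/responder.

# The page's rule: $TMPDIR if non-empty, else /tmp (trailing slash trimmed so
# the joined paths stay clean).
air_tmp_dir() {
  if [ -n "${TMPDIR:-}" ]; then printf '%s\n' "${TMPDIR%/}"; else printf '/tmp\n'; fi
}

# Print the paths the responder is expected to remove, one per line, prefixed
# with $1 (empty for the real system, or a sandbox directory for testing).
# The two /var/lib/binalyze temp directories are covered by their parent;
# the binaries and LaunchDaemon plist only exist on macOS.
air_cleanup_paths() {
  root="$1"; tmp="$(air_tmp_dir)"; inst="/opt/binalyze/air/responder"
  cat <<EOF
$root$inst/utils
$root$inst/air
$root$inst/tactical
$root$inst/drone
$root$inst/config.yml
$root$inst/DRONE.Config.yml
$root/var/lib/binalyze
$root$tmp/BinalyzeUpdateTemp
$root$tmp/Binalyze
$root$tmp/BinalyzeTemp
$root/Library/LaunchDaemons/com.binalyze.air-responder.plist
EOF
}

# Print every expected-removed path that still exists. Returns 0 when the
# asset is clean and 1 when leftovers remain, so it can gate a script.
air_residual_paths() {
  root="$1"; found=0
  while IFS= read -r p; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; found=1; fi
  done <<EOF
$(air_cleanup_paths "$root")
EOF
  return "$found"
}
```

After `sudo apt remove binalyze-air-responder`, `sudo dnf remove binalyze-air-responder` or `sudo /opt/binalyze/air/responder/air --uninstall`, run `air_residual_paths ""` as root: anything it prints was not cleaned up and can be removed with interACT or your normal asset management tooling, as noted earlier on this page.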
